How many times do we have to repeat ourselves...? Our customers DO employ XSS and SQL injection protection on their websites. So do we! The point we are trying to make is, security protections should be weighed against the actual need for protection. You don't just apply every security protection in the world to every website in the world, which is what many of you seem to believe. And yes, our demo website is hosted at GoDaddy.com, a hosting company local to our corporate offices. Many notable companies host with GoDaddy... (Geez! Am I going to have to defend our choice of hosting company now? How is that pertinent to this forum thread?)

Again, since you insist on posting off-topic comments, we offer the following appropriately pertinent response:

Space Shuttle Discovery (Orbiter Vehicle Designation: OV-103) is one of the three currently operational orbiters in the Space Shuttle fleet of NASA, the space agency of the United States. (The other two are Atlantis and Endeavour.) When first flown in 1984, Discovery became the third operational orbiter, and is now the oldest orbiter in service. Discovery has performed both research and International Space Station (ISS) assembly missions.

The spacecraft takes its name from previous ships of exploration named Discovery, primarily HMS Discovery, the sailing ship that accompanied famous explorer James Cook on his third and final major voyage. Others include Henry Hudson's ship Discovery which he used in 1610–1611 to search for a Northwest Passage, and RRS Discovery, a vessel used for expeditions to Antarctica in 1901-1904 by Scott and Shackleton (and still preserved as a museum). The shuttle shares a name with Discovery One, the fictional Jupiter spaceship from the films 2001: A Space Odyssey and 2010.

Discovery was the shuttle that launched the Hubble Space Telescope. The second and third Hubble service missions were also conducted by Discovery. She has also launched the Ulysses probe and three TDRS satellites. Discovery has been chosen twice as the return to flight orbiter, first in 1988 as the return to flight orbiter after the 1986 Challenger disaster, and then for the twin return to flight missions in July 2005 and July 2006 after the 2003 Columbia disaster. Discovery also carried Project Mercury astronaut John Glenn, who was 77 at the time, back into space during STS-95 on October 29, 1998, making him the oldest human being to venture into space.

Had the planned missions from Vandenberg Air Force Base for the United States Department of Defense gone ahead, Discovery would have flown these missions.

Quote: If anyone posts a LEGITIMATE question regarding PhishCops(R), we will be happy to respond. If not, waste as much time as you like, but do not waste any more of ours.

There's a saying you remind me of; it goes, "It's better to keep your mouth shut and appear stupid than to open it and remove all doubt."

First you claimed there was no protection because it had been deactivated due to an upgrade; then you said it was because it was your demo site; now you tell us that it's useless and unnecessary since it's not a real site. If it had been a real site, then the tone you just heard would have been followed by real protection of the website.

The good news is that you have plastered PhishCops(R) enough times all over this thread that anyone looking at a search engine to do some research on your company surely will come across this thread and hopefully realize that you are selling VaporWare(R). You keep mentioning SSL certificates and other types of authentication, none of which prevent the type of Cross Site Scripting and/or SQL injections. The fact that you have SSL does not mean your site is secured, but as you put it, and tx pointed out, you seem to be missing the basic point. Perhaps this concept is way beyond you...

Maybe you should request a TPS report with the proper cover sheet first thing tomorrow when you get into your office.

And since you keep just repeating yourself and editing your posts a number of times because even you don't make sense to yourself, I'll consider this thread open for all to post.

I intended to abandon this post, but I never read such a ridiculous collection of statements as you just made and I had to respond.

We never claimed there was no protection on our site. We simply said that our webmaster had temporarily turned off certain protocols owing to the fact that he was upgrading the website at that time. Those protocols have been turned back on. We simply tried to point out that people were confusing the security on our casually-maintained demo website with the PhishCops(R) product at our customers' websites, which are two entirely different things. Would you rate a Chevrolet truck based on the security of their website? The two are unrelated. That is the point.

Next, we never said such protections were useless or unnecessary. We said you don't just apply every security protection in the world to every website in the world, which is what many of you seem to believe.

Next, we never said it was not a real site. We said it was our demo site and that, naturally, we do not employ the same level of security on a simple demo site as our customers naturally employ on their websites.

We never said that SSL certificates and other types of authentication prevent cross site scripting. We mentioned those protocols simply to illustrate the point that, unless they are needed, you shouldn't spend money and time deploying them and supporting them. You should employ only as much security as is needed, but not unnecessary security.

Get your facts straight before posting such nonsense.

If you can't even cite the posts correctly, it makes you sound like your head is filled with vaporware!

To CrytpTiC,
No, you are not mistaken. As we stated previously, those XSS (and the SQL injection) protections had been temporarily disabled while our webmaster completed his upgrade. The upgrade was completed and those protections have been turned back on. Unfortunately, some posters didn't read that. Of course, should anyone discover any XSS vulnerabilities, we would love to hear from you and I will pass them on to the demo site webmaster.

As for the re-editing of these posts, it is my job to make sure that correct information related to the PhishCops(R) product is published on the web. Many of the posters here (Thrill and others) simply seem to enjoy wasting everyone's time. Unfortunately, it means I have to waste my time responding to them. I am required to maintain (as much as possible) a civil tone, but sometimes that is very difficult when dealing with such idiots. Hence the frequent editing of my posts. I would rather be kicking back and watching a movie on this fine Sunday afternoon.

Again, folks, this forum thread was started to answer questions related to PhishCops(R). You have a unique opportunity to post legitimate questions since I am currently actively responding to these posts. This is NOT a thread about XSS or SQL injection. There are other threads related to those topics.

Quote: Maybe SestusData isn't concerned with XSS and SQLi because he automatically escapes every dangerous character as he types?

If that were correct, he would have escaped the parentheses like \(\'Thrill\'\).

Quote: Again, folks, this forum thread was intended to answer questions related to PhishCops(R). You have a unique opportunity to post legitimate questions since I am currently actively responding to these posts. This is NOT a thread about XSS or SQL injection. There are other threads related to those topics.

Umm.. last I checked this was sla.ckers.org, not PhishCops(R)Forums(TM).com. The main topics of these forums are relating to Web Application Security (and in this case, the lack thereof on your demo site which is not really that important to you guys so the protection had been removed temporarily while an upgrade was performed by your grandiose webmaster), so you attempting to request that everyone stick on topic about your product here, is like me requesting that Microsoft(R)Forum(TM)Users(WTF).com stick to discussing Snausages which my two doggies really enjoy..

I am positive that any user here that had legitimate questions about your product would have utilized your recently upgraded website to request further information, or who knows, maybe even read up on it there. So please stop assuming that us here at sla.ckers(TM/R/C2008) are actually posting to this thread in search of "Useful information in order to perform an informed evaluation" of your product.

First, our customers do protect against XSS and SQL injection on their websites (at least, they should be, since they are usually financial organizations with something to protect).

Next, about your MITM question. PhishCops(R) places PKI hash keys on the user's machine. The keys are maintained by their browser and are not traditional certificate keys which must be downloaded or installed. In a MITM attack, it is the fraudster who is connected to the legitimate website, not the user. Since there are no keys on the fraudster's computer, authentication fails. There is no amount of information which a fraudster can solicit from a victim that will permit them to access the victim's account. Without the key, they cannot proceed, plain and simple.

And before you ask the next question, even if a fraudster could manage to steal the victim's key from their computer, unless the fraudster can also replicate the victim's computer to the authenticating website, authentication would still fail.

Of course, IF the fraudster can steal the user's login credentials, AND compromise their device and steal their keys, AND replicate the user's computer to the authenticating server, then authentication would succeed. To paraphrase the FFIEC on the subject, multi-factor authentication is not invulnerable, it is simply more difficult to compromise than single-factor methods.

Thank you for asking the FIRST legitimate question related to PhishCops(R).

For those of you who may be wondering about the escape characters in my posting, I am connected from home through a proxy server, and IT, not me, is inserting the characters in my posts.

Well folks, it's been entertaining. I have to run. I will check back in the future to answer any other PhishCops(R)-related questions.

... and a last message for Thrill, this forum thread was started by an individual who posted a legitimate question about PhishCops(R) hoping to learn something. It's too bad that is not your intention because you are wasting everyone's time.

Quote: PhishCops(R) places PKI hash keys on the user's machine. The keys are maintained by their browser and are not traditional certificate keys which must be downloaded or installed.

I'm assuming by this that you mean the cookies that are set?

Quote: In a MITM attack, it is the fraudster who is connected to the legitimate website, not the user. Since there are no keys on the fraudster's computer, authentication fails. There is no amount of information which a fraudster can solicit from a victim that will permit them to access the victim's account. Without the key, they cannot proceed, plain and simple.
[snip]
Of course, IF the fraudster can steal the user's login credentials, AND compromise their device and steal their keys, AND replicate the user's computer to the authenticating server, then authentication would succeed.

In a browser-based MITM situation the attacker would have access to the hash keys you've stored as cookies; they could also intercept the login credentials, and since the requests would be coming from the user's browser, replicating the computer is a moot point. After doing all that, the server would generate a response containing the 6-digit key (the final step in authentication). This key is sent in the body of the HTML document as plain text, making it trivial to intercept and make use of.

In short, it seems that your product offers no protection from phishing in the face of an XSS vulnerability. And since some of the most popular ways to phish involve exploiting XSS vulnerabilities, I call 'snakeoil'.

Quote: ... and a last message for Thrill, this forum thread was started by an individual who posted a legitimate question about PhishCops(R) hoping to learn something. It's too bad that is not your intention because you are wasting everyone's time.

Yes, and since the entire purpose for this set of websites (ha.ckers, sla.ckers, fu.ckers and others) is for the sole purpose of answering inquiring minds' questions regarding PhishCops(R), I guess I've now been found out.

But now I'm confused.. the Director of IT for PhishCops said:

Quote: Other products can't protect your members from man-in-the-middle attacks and hostile proxies, PhishCops can. Even with a stolen account number and password, a thief can't get into an account.

But just now you said:

Quote: multi-factor authentication is not invulnerable, it is simply more difficult to compromise than single-factor methods.

I think it's time you admit to yourself that to those who have a clue your product sounds phishy (pun intended) at best. I think you should stick to selling it to VPs and CTOs; I'm pretty sure even YOU might impress them with your technical prowess..

To Tx,
In answer to your follow-up question, NO, PhishCops(R) operates even if cookies are completely blocked. While we do leverage cookies if they are available, they are not absolutely required.

Next, while the request may be coming from the user's browser, in a man-in-the-middle attack it is the fraudster's device that is connected to the authenticating website, hence the term man-in-the-MIDDLE. Obviously, the first challenge for the fraudster would be to obtain the user's key, not an easy task in this situation. But let's suppose the fraudster could infect the victim's computer with malware and obtain the key. Since the fraudster's computer is likely different than the user's, the key would not validate and authentication would fail on that point alone. But let's suppose the fraudster manages to clone or replicate the user's device to the authenticating website... the fraudster is still connecting from a different IP address. This would render the key invalid and authentication would fail. So, let's suppose the fraudster attempts to construct a valid key on their own. Even if the fraudster can spoof the user's IP address to the authenticating server, the fraudster cannot construct a valid key for that IP without access to non-disclosed server-side PKI keys on the authenticating server's website which are used in the key exchange. And even if the fraudster has the cooperation of an employee at the authenticating website company and can obtain the server-side elements needed to construct a valid key, the key includes a time stamp and other one-time use elements that further render such keys unusable after-the-fact. There are many other patent-pending security protocols which I naturally cannot discuss in a forum such as this, including HASDL, Key Multiplicity Detection, and others, but the point is, it is NOT snakeoil.

Finally, XSS is NOT widely used for phishing. Sorry to say, you are simply mistaken there. While I do not doubt that XSS-based phishing attacks are possible, in practical use, they are not common. The most common form of phishing is through the use of replicated websites and credential solicitation on those sites. Other methods include social engineering attacks, in-person, vishing (VoIP), and other methods. I won't argue whether or not XSS attacks are commonly used for phishing or not; the point is, even if a PhishCops(R)-equipped website had an XSS hole, this would have no impact on the PhishCops(R) authentication process. It is apples and oranges. One is not affected by the other.

PhishCops(R) is not snakeoil. It is a cryptographic multi-factor authentication process that uses mathematical algorithms to produce and validate PKI keys. It uses numerous advanced authentication concepts including key rotation, HASDL, HMAC, SHS, and other processes, many of which were developed by NIST under the authority of the U.S. Dept. of Commerce. Some of the largest application infrastructure organizations in the world, including 2 of the big-four credit card companies, numerous government agencies, and several internet-backbone organizations have thoroughly vetted and approved PhishCops(R). Billion-dollar corporations use PhishCops(R). So, no, it is not snakeoil.

I hope you recognize that I am naturally constrained as to the level of detail I can go into in a forum such as this. Short of signing an NDA, I am answering your questions as thoroughly as I can.

Any other questions?

Sestus Data Administration

PS. Thrill continues to mis-quote the posted information. It was the FFIEC who said multi-factor authentication is not invulnerable. I was paraphrasing their statement and said as much. If you insist on entertaining us all with your useless rants, Thrill, you could at least cite the posts correctly.
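The two posts above argue past each other on one technical point: the vendor says a key bound to the user's device and IP address, carrying a time stamp and one-time elements and validated with HMAC, fails when a fraudster replays it from elsewhere; tx says that in a browser-based MITM (script injected via XSS running in the victim's own session) every one of those binding inputs is the victim's, so the server has nothing to reject. The model below is an added illustration written for this thread, not PhishCops' code or protocol: the binding inputs (user, device fingerprint, client IP), the 60-second window, the nonce replay cache and the token format are all assumptions chosen to show what such a check can and cannot distinguish.

```python
"""Constructed model of a device- and IP-bound, time-stamped, one-time HMAC token.

Illustration only: binding inputs, window length and token layout are assumptions
made for this example, not a description of any vendor's actual protocol.
"""
import hashlib
import hmac
import secrets

# Constructed demo secret. A real deployment keeps this server-side only
# (HSM or secrets vault), which is what lets the server, and nobody else, mint tags.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_WINDOW_SECONDS = 60            # assumed validity window for a token
_used_nonces: set[str] = set()       # replay cache; process-local for the demo


def _binding_message(user, device_fp, client_ip, issued, nonce):
    # Everything the server wants the token bound to goes under the MAC, so
    # changing any of these inputs on the verifying side changes the expected tag.
    return f"{user}|{device_fp}|{client_ip}|{issued}|{nonce}".encode()


def issue_token(user, device_fp, client_ip, now, nonce=None):
    """Mint a token for the session the server currently observes."""
    nonce = nonce or secrets.token_hex(8)
    msg = _binding_message(user, device_fp, client_ip, now, nonce)
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return {"user": user, "issued": now, "nonce": nonce, "tag": tag}


def validate_token(token, device_fp, client_ip, now):
    """Return 'ok' or the reason the token is rejected.

    The order matters for defenders reading logs: expiry and replay are checked
    before the MAC, so a stale or reused token is named as such, and the
    constant-time compare avoids leaking tag bytes through timing.
    """
    if now - token["issued"] > TOKEN_WINDOW_SECONDS:
        return "expired"
    if token["nonce"] in _used_nonces:
        return "replayed"
    msg = _binding_message(token["user"], device_fp, client_ip, token["issued"], token["nonce"])
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return "binding_mismatch"     # different device or IP than the token was issued for
    _used_nonces.add(token["nonce"])  # one-time use: burn the nonce on success
    return "ok"


def scenarios():
    """Run the cases discussed in the thread and return each outcome by name."""
    t0 = 1_700_000_000                           # constructed epoch timestamp
    user, fp, ip = "alice", "fp-victim-browser", "198.51.100.7"   # constructed, RFC 5737 range
    results = {}

    tok = issue_token(user, fp, ip, t0)
    results["legitimate"] = validate_token(tok, fp, ip, t0 + 5)
    # Same token presented a second time from the same device: nonce already burned.
    results["replay_same_device"] = validate_token(tok, fp, ip, t0 + 6)

    # Token copied off the victim's machine and presented from another IP.
    tok = issue_token(user, fp, ip, t0)
    results["stolen_other_ip"] = validate_token(tok, fp, "203.0.113.9", t0 + 5)

    # Token presented from a device with a different fingerprint.
    tok = issue_token(user, fp, ip, t0)
    results["stolen_other_device"] = validate_token(tok, "fp-attacker-box", ip, t0 + 5)

    # Token presented after the window has closed.
    tok = issue_token(user, fp, ip, t0)
    results["expired"] = validate_token(tok, fp, ip, t0 + TOKEN_WINDOW_SECONDS + 1)

    # In-browser MITM: a request issued from within the victim's own session
    # carries the victim's fingerprint, IP and a fresh token, so the binding
    # check passes. Device/IP binding does not see this case; only removing
    # the XSS (or keeping the secret out of script reach) does.
    tok = issue_token(user, fp, ip, t0)
    results["in_browser_mitm"] = validate_token(tok, fp, ip, t0 + 5)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

The first five cases are the vendor's argument and they hold: a token lifted off the device and presented from anywhere else, or presented twice, or late, is rejected. The last case is tx's argument and it also holds: nothing in the MAC input differs between the victim and a script running as the victim, so the binding check cannot be the control that addresses an XSS hole on the protected site.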

Yeah, I have a question. Does PhishCops(R) have its own forums where it could answer questions for its users rather than wasting bandwidth on this site and then complaining about our postings when we post our opinions on its product?

As for the mis-quoting:

Paraphrasing: Putting into your own words the thoughts or ideas from someone else’s work.

If you do not believe multi-factor, or specifically PhishCops(R) to be vulnerable, then why even post that statement?

With as much as you edit your own posts you would think you could actually convey your actual feelings on the matter.. are you related to HRC by any chance? She seems to get misquoted quite often too.. watch out for that sniper fire homey..

to Thrill,
First, you are not offering your opinion on the product. You have no experience with the product so your posts are not opinions of the product. You are posting useless rants, insults, and generally wasting everyone's time. We welcome opinion about our product from those experienced with it. You have no experience with the product so you can have nothing worthwhile to say about it. Why not admit as much and let people ask some legitimate questions?

Second, we never said multi-factor authentication was invulnerable. In fact, we go to great lengths to make the point ourselves that multi-factor authentication IS vulnerable to many forms of fraud. The quote you cited was not our quote. It was offered by an IT manager who was interviewed by the Credit Union Journal. Also, he did NOT say PhishCops(R) was invulnerable. He said it can protect members from man-in-the-middle attacks and hostile proxies and that, even with a stolen account number and password, a thief can't get into an account. This is not the same thing as invulnerability. We openly acknowledge that any multi-factor authentication can be compromised (see: http://www.phishcops.com/tokenlibrary.asp), although we do acknowledge that PhishCops(R) is very difficult to compromise. Again, please get your quotes right.

Finally, despite your desire for us to leave off responding to posts in this forum (and believe me when I say that dealing with idiots like you leaves me with the same desire), we responded to this forum because the original poster was requesting information about PhishCops(R). This forum thread was started by people who wanted to learn about PhishCops(R). Why not give everyone a break and let those people with legitimate questions try and learn something?

To Thornmaker,
Your point is well taken. The original poster DID specify he was welcoming rants as well as suggestions and pointers on the topic of PhishCops(R). I just assumed that he actually wanted to keep the focus on that topic.

Since it appears that everyone is more interested in posting rants than in asking legitimate questions (with the exception of Tx), I will discontinue my participation or monitoring of this forum. It's too bad really, because you all had an extremely rare opportunity to post legitimate questions to someone at the company who is both authorized and qualified to post responses on this topic. I happened to come across this forum and had decided to make myself available to those sincerely interested in learning more about PhishCops(R). Instead, it seems that everyone is more interested in ranting.

If anyone wishes to learn more about the PhishCops(R) product, you are welcome to contact us through our regular website channels.

I'm curious as to how many individuals have posted through the SestusData account, and if the statements made here would be endorsed, or would reflect the attitudes and opinions held by all of the other members of the company as well.

Quote: You have no experience with the product so your posts are not opinions of the product

Are you absolutely sure of this statement? I actually did go through your entire demo experience, added the bookmark as requested, created the account, authenticated using it, then promptly removed all traces of the test on my machine.

Quote: You are posting useless rants, insults <snip> and believe me when I say that dealing with idiots like you

From your very initial post, you took on the attitude that all posters on this board were idiots. No one here called you any names, yet you feel the need to insult me, my opinions and personal/professional experience. As for the users that pointed out flaws in your system, rather than thanking them, you acted as if they were fucking stupid for having found flaws on your system while it was being 'upgraded'.. as if we knew, or gave a rat's ass about that.

The best approach would have been to gracefully thank the people who pointed out the flaw, and then explain that the system was being upgraded. However, since you are a complete imbecile that thinks he knows much more than anyone else on every single subject, you chose to stick around and argue other people's opinions and findings of your stupid ass software/solution.

The fact that you continue to try and censor the opinions of users of this board goes to show that you seriously think your shit doesn't stink, when in fact, your shit might stink quite a bit less than your knowledge of security. You'd be better off writing for movie studios or fantasy novels.. maybe you can work on The Net 2 and showcase your technology by putting a small icon on the top right corner of every web page that is protected by PhishCops(R).

Also, the fact that you keep requesting people post questions about your product on this site, which by the way, is in no way affiliated with you nor your company, nor does it endorse your crappy ass vaporware in any way shape or form, also invites people to post their opinions. If you want to regulate what questions and opinions are posted, I suggest you get your head out of your ass and put up your own forums where you can exercise your nazi censoring techniques you fucking imbecile.

The only person that has been wasting people's time around here is you by trying to censor and/or put down those who have expressed their opinions as the original poster of this thread requested.

@Awesome AnDrEw - Originally they were posting from a single IP, but then there were quite a few others.. even an IP from Slovenia.. so there could be multiple posters.

First, Thrill, unless you work for an organization which has implemented PhishCops(R), you can have no experience with the product other than that of a casual demo site user, and you did not offer any opinions even as that! Did the demo work, yes or no? You won't even own up to that. Beyond that limited exposure, you have NO experience with the product, so why not admit it?

Second, YOU should talk about censorship. I think the forum attendees would like to know that the reason we found it necessary to use proxy servers around the globe was due to the fact that Thrill kept blocking our IP addresses in an attempt to stop us from responding to his outrageous tirades. If you don't like us posting the truth, Thrill, why not just close the thread?

Third, we DID explain that the site was being upgraded. You apparently didn't read that.

Fourth, we have not been trying to censor anything. In fact, just the opposite. We were actively soliciting a discussion of the product according to the original poster's request. All we have done is attempt to keep the discussion focused on the topic, something which you apparently were uninterested in doing.

Fifth, I work for the company and it is my JOB to respond to mis-information about the product, and to provide information when asked. Why not give me and everyone else a break and leave off with your spewing. Every time you say something so outrageously incorrect, I am required to attempt to post a response. It's my job. Why not give me a break and leave off with your tirade. If you really have something useful or constructive to contribute, I am sure everyone would appreciate it. I know I would.

Finally, do I really have to keep monitoring this post and responding to Thrill's outrageous nonsense? I have better things to do with my time and so does everyone else. Thrill, you need professional help. You seem unable to recognize that your behavior is abusive, crude, and counter-productive to the discussion. Again, if you don't want people to post questions about PhishCops(R) or for us to respond to those questions, then close the thread. Otherwise, quit spewing and allow people to attempt to learn something.

>> I think the forum attendees would like to know that the reason we found it necessary to use proxy servers around the globe was due to the fact that Thrill kept blocking our IP addresses in an attempt to stop us from responding to his outrageous tirades

I'm not so sure about that. I've been blocked a couple dozen times in the past week, but it's due to the firewall thinking I am DoSing the server and then blocking me. My browser is oddly not caching the content, so files are being downloaded too much. The same could be happening with your browser, and seeing how many times you view/edit your posts, I don't see why the firewall would not block you.

"Don't wrestle with a pig, in the end, you both get dirty and the pig likes it."

You are correct, I have no experience with the product and never claimed to, other than your demo, which I'm sure is the level of experience of everyone else who posts on this board, and which I went through so I could post my 'opinion' on the matter. Now, if the demo does not in any way reflect the actual workings of your software/solution, then why in hell do you have it up? I'll let you drive a Ferrari, but in truth what you are getting is a Corolla???

As for blocking your IP.. I have one word.. bwuahahahahaha! You fucking moron, I have 0 access to the firewall, and even if I did, why would I want to prevent you from digging a larger hole than you have already dug for yourself? But maybe the rules protecting the firewall noticed some strange behavior coming from your IP address which caused it to block you???

The topic of this board again is Web App Sec, which != PhishChops(R). The fact that one of the members of this board requested "OUR" opinion on it does not signify that it is an invitation for you to take over this thread, nor for you to come in pontificating the "truth about our product".

As for my wasting everyone's time, the only one complaining is you, or are you failing to realize this? I know I know, we missed a really great opportunity to ask some serious questions about your product.. but maybe if we're really interested, you'll set up a WebEx demonstration for us.. but I guess if we were really that interested, we could just contact you on YOUR OWN FUCKING WEB SITE.

To Thrill,
You are a sorry piece of work. And I agree with your own assessment, you are a pig. It is people like you that make forums such as these tiresome and unproductive for the rest of the members.

To Cryptic,
Perhaps you're right. But the timing of the IP blocking coincides almost to the minute with each of Thrill's posts. Also, as he disclosed himself, he has access to the members' IP addresses, which raises the suspicion that he is responsible for the blocks. We could be wrong and are certainly willing to concede that point.

Thrill, my boss has just instructed me to cease communicating with you. To use his words, you are obviously just some forum jerk who enjoys the anonymity that such venues provide to spew and waste people's time. Since you obviously have nothing to contribute and have no legitimate questions, I may no longer respond to your posts.

I remain willing to answer anyone else's legitimate questions about the product.

Oh the irony.. and did your boss 'instruct' the world in general, or just you?

Let me go ahead and re-cap what has gone on here, for archival sake:

You posted:

Quote: Had the above user performed the same test the following day, he would have seen that there are no SQL injection issues related to the product.

Which, lucky for me, I copied before you edited your own post, and then I made the comment of:

Quote: Sounds to me like a new policy needs to be in place for doing server updates/upgrades. There's absolutely 0 chance that I would turn off the majority of protections to my public facing servers to do an upgrade.

You replied with:

Quote: Our demo website is just that, a simple demo website. No financial, customer, or other sensitive information can be accessed from this demo website.

and then some babble about not needing to be as secure as the real thing, blah blah blah...

I then wrote:

Quote: Attacker finds demo site, demo site vulnerable. Attacker injects malware, malware then gets transferred to admin's machine due to vulnerable browser, admin then visits 'live site' logging in with 'admin' credentials, admin gets called away to one of those really interesting meetings, attacker sees idle time, attacker takes control of browser and 'admin session'..

Of course there was no direct response from you, but then you began to insult the users of this forum by posting this:

Quote: This forum serves as a sounding board for individuals who claim an understanding of security, yet it is clear that many cannot differentiate between security method and application. One does not install a two ton magnetic-lock vault door to protect access to a backyard storage shed.

Then I mention how I was still laughing so hard that I could barely type, then again you went on the offensive and posted this:

Quote: We're sorry that you took offense at our response. We were sincerely trying to assist you with understanding the proper application of security techniques. There is such a thing as too much security and when a process does not warrant a certain level of security, adding that security becomes counter-productive.

To which I responded with this:

Quote: There could never be too much security for a company that claims to know security and privacy. But then that's the difference between those who know security and the managers that just quote snippets from press releases.

And then your ignorant response was this:

Quote: By your misguided logic, every website in the world must employ SSL certificates, challenge questions, risk-based analysis, geo-location analysis, hardware and software tokens, captchas, and anything else you can think of. After all, you believe "There could never be too much security".

and then ranted about considering this thread closed a few times.. A couple of other people also commented on your ignorant statements, and then you chose to insult them as well:

Quote: You seem to be missing the basic point. Perhaps this concept is beyond you, but I will make one last attempt to explain....

And then you ranted about bologna and the space shuttle, and all the while I was not posting at all, but then you posted this:

Quote: We're through with this. There are just some people you can't reach.
Post away folks. If anyone has a legitimate question re: PhishCops(R), you may contact us through our regular websites.

And:

Quote: I am required to maintain (as much as possible) a civil tone, but sometimes that is very difficult when dealing with such idiots.

And at this point I pointed out the fact that these forums, along with other sites, are dedicated to Web App Security and not product support for your product. Regardless of who started the thread, and what their question was, this site remains a WebAppSec forum, not PhishCops(R) support or Q&A. I am almost positive that the user who requested OUR opinion on your software was fully aware that he could contact you for a WebEx demonstration, but instead wanted to get input from members of this forum, which unfortunately for you, includes me.

As for the anonymity you claim I am hiding behind, my name is [censored], you can see my picture HERE and if you want my Cell Phone number, just let me know and I will gladly send you a private message on this board, and if you are ever in Sunnyvale or Mountain View, California areas, please by all means look me up.